rms | 14dc985fce12f3c0294e18ab72b207bb21635c1669277846d77a10d7eafbb201

Analysis

max time kernel
147s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1fb7d97a44daaba69c94af9210ca79ac.msi
Size

6.6MB
MD5

1fb7d97a44daaba69c94af9210ca79ac
SHA1

ac2f6515778ac8ba9e4b085be176fe9ac485ca3c
SHA256

14dc985fce12f3c0294e18ab72b207bb21635c1669277846d77a10d7eafbb201
SHA512

9969202395171752af5fe618baa8bf08586c9a896bb4755af657a57489b830c0cd6c7f62faff817245695dc5bf7a82a7baf49f1f4f9065db07ae2c7e3cb8bbc3
SSDEEP

196608:3U91gsRVEXIL2s9WB7E/sO9nihY1nhIs:k9VRVr/Wm/P9ihYw

Score

10^/10

rms discovery persistence privilege_escalation rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\gdiplus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\oledlg.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8encoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rwln.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\Logs\rms_log_2025-01.html	rutserv.exe
File created	C:\Windows\SysWOW64\sysfiles\rasadhlp.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\ripcserver.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8decoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\sysfiles\rutserv.exe	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcp90.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcr90.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rfusclient.exe	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e585d30.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E19.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{A5DB67DC-DB0E-4491-B9F7-F258A02EE03C}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63C9.tmp	msiexec.exe
File created	C:\Windows\Installer\e585d2e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e585d2e.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A5DB67DC-DB0E-4491-B9F7-F258A02EE03C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E39.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6232.tmp	msiexec.exe
File created	C:\Windows\Installer\{A5DB67DC-DB0E-4491-B9F7-F258A02EE03C}\ARPPRODUCTICON.exe	msiexec.exe

Executes dropped EXE 12 IoCs

pid	Process
4644	rfusclient.exe
4804	rutserv.exe
2732	rfusclient.exe
920	rutserv.exe
4016	rfusclient.exe
940	rfusclient.exe
448	rutserv.exe
1056	rutserv.exe
880	rutserv.exe
4460	rfusclient.exe
2756	rfusclient.exe
4472	rfusclient.exe

Loads dropped DLL 18 IoCs

pid	Process
1480	MsiExec.exe
3620	MsiExec.exe
1620	MsiExec.exe
1620	MsiExec.exe
4644	rfusclient.exe
4644	rfusclient.exe
2732	rfusclient.exe
2732	rfusclient.exe
4016	rfusclient.exe
4016	rfusclient.exe
940	rfusclient.exe
940	rfusclient.exe
2756	rfusclient.exe
2756	rfusclient.exe
4460	rfusclient.exe
4460	rfusclient.exe
4472	rfusclient.exe
4472	rfusclient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
772	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfusclient.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rfusclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rfusclient.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\Version = "92536832"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\CD76BD5AE0BD19449B7F2F850AE20EC3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CD76BD5AE0BD19449B7F2F850AE20EC3\Remote_Office_Manager	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\PackageCode = "581A5F3336F54454B86DC84132CEC855"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\ProductIcon = "C:\\Windows\\Installer\\{A5DB67DC-DB0E-4491-B9F7-F258A02EE03C}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CD76BD5AE0BD19449B7F2F850AE20EC3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CD76BD5AE0BD19449B7F2F850AE20EC3\SourceList\PackageName = "JaffaCakes118_1fb7d97a44daaba69c94af9210ca79ac.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5016	msiexec.exe
5016	msiexec.exe
880	rutserv.exe
880	rutserv.exe
880	rutserv.exe
880	rutserv.exe
4460	rfusclient.exe
4460	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4472	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	772	msiexec.exe
Token: SeSecurityPrivilege	5016	msiexec.exe
Token: SeCreateTokenPrivilege	772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	772	msiexec.exe
Token: SeLockMemoryPrivilege	772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	772	msiexec.exe
Token: SeMachineAccountPrivilege	772	msiexec.exe
Token: SeTcbPrivilege	772	msiexec.exe
Token: SeSecurityPrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeLoadDriverPrivilege	772	msiexec.exe
Token: SeSystemProfilePrivilege	772	msiexec.exe
Token: SeSystemtimePrivilege	772	msiexec.exe
Token: SeProfSingleProcessPrivilege	772	msiexec.exe
Token: SeIncBasePriorityPrivilege	772	msiexec.exe
Token: SeCreatePagefilePrivilege	772	msiexec.exe
Token: SeCreatePermanentPrivilege	772	msiexec.exe
Token: SeBackupPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeShutdownPrivilege	772	msiexec.exe
Token: SeDebugPrivilege	772	msiexec.exe
Token: SeAuditPrivilege	772	msiexec.exe
Token: SeSystemEnvironmentPrivilege	772	msiexec.exe
Token: SeChangeNotifyPrivilege	772	msiexec.exe
Token: SeRemoteShutdownPrivilege	772	msiexec.exe
Token: SeUndockPrivilege	772	msiexec.exe
Token: SeSyncAgentPrivilege	772	msiexec.exe
Token: SeEnableDelegationPrivilege	772	msiexec.exe
Token: SeManageVolumePrivilege	772	msiexec.exe
Token: SeImpersonatePrivilege	772	msiexec.exe
Token: SeCreateGlobalPrivilege	772	msiexec.exe
Token: SeCreateTokenPrivilege	772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	772	msiexec.exe
Token: SeLockMemoryPrivilege	772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	772	msiexec.exe
Token: SeMachineAccountPrivilege	772	msiexec.exe
Token: SeTcbPrivilege	772	msiexec.exe
Token: SeSecurityPrivilege	772	msiexec.exe
Token: SeTakeOwnershipPrivilege	772	msiexec.exe
Token: SeLoadDriverPrivilege	772	msiexec.exe
Token: SeSystemProfilePrivilege	772	msiexec.exe
Token: SeSystemtimePrivilege	772	msiexec.exe
Token: SeProfSingleProcessPrivilege	772	msiexec.exe
Token: SeIncBasePriorityPrivilege	772	msiexec.exe
Token: SeCreatePagefilePrivilege	772	msiexec.exe
Token: SeCreatePermanentPrivilege	772	msiexec.exe
Token: SeBackupPrivilege	772	msiexec.exe
Token: SeRestorePrivilege	772	msiexec.exe
Token: SeShutdownPrivilege	772	msiexec.exe
Token: SeDebugPrivilege	772	msiexec.exe
Token: SeAuditPrivilege	772	msiexec.exe
Token: SeSystemEnvironmentPrivilege	772	msiexec.exe
Token: SeChangeNotifyPrivilege	772	msiexec.exe
Token: SeRemoteShutdownPrivilege	772	msiexec.exe
Token: SeUndockPrivilege	772	msiexec.exe
Token: SeSyncAgentPrivilege	772	msiexec.exe
Token: SeEnableDelegationPrivilege	772	msiexec.exe
Token: SeManageVolumePrivilege	772	msiexec.exe
Token: SeImpersonatePrivilege	772	msiexec.exe
Token: SeCreateGlobalPrivilege	772	msiexec.exe
Token: SeCreateTokenPrivilege	772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	772	msiexec.exe
Token: SeLockMemoryPrivilege	772	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
772	msiexec.exe
2756	rfusclient.exe
2756	rfusclient.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2756	rfusclient.exe
2756	rfusclient.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 1480	5016	msiexec.exe	85
PID 5016 wrote to memory of 1480	5016	msiexec.exe	85
PID 5016 wrote to memory of 1480	5016	msiexec.exe	85
PID 5016 wrote to memory of 2768	5016	msiexec.exe	108
PID 5016 wrote to memory of 2768	5016	msiexec.exe	108
PID 5016 wrote to memory of 3620	5016	msiexec.exe	110
PID 5016 wrote to memory of 3620	5016	msiexec.exe	110
PID 5016 wrote to memory of 3620	5016	msiexec.exe	110
PID 5016 wrote to memory of 1620	5016	msiexec.exe	111
PID 5016 wrote to memory of 1620	5016	msiexec.exe	111
PID 5016 wrote to memory of 1620	5016	msiexec.exe	111
PID 5016 wrote to memory of 4644	5016	msiexec.exe	112
PID 5016 wrote to memory of 4644	5016	msiexec.exe	112
PID 5016 wrote to memory of 4644	5016	msiexec.exe	112
PID 4644 wrote to memory of 4804	4644	rfusclient.exe	113
PID 4644 wrote to memory of 4804	4644	rfusclient.exe	113
PID 4644 wrote to memory of 4804	4644	rfusclient.exe	113
PID 5016 wrote to memory of 2732	5016	msiexec.exe	114
PID 5016 wrote to memory of 2732	5016	msiexec.exe	114
PID 5016 wrote to memory of 2732	5016	msiexec.exe	114
PID 2732 wrote to memory of 920	2732	rfusclient.exe	115
PID 2732 wrote to memory of 920	2732	rfusclient.exe	115
PID 2732 wrote to memory of 920	2732	rfusclient.exe	115
PID 5016 wrote to memory of 4016	5016	msiexec.exe	116
PID 5016 wrote to memory of 4016	5016	msiexec.exe	116
PID 5016 wrote to memory of 4016	5016	msiexec.exe	116
PID 5016 wrote to memory of 940	5016	msiexec.exe	117
PID 5016 wrote to memory of 940	5016	msiexec.exe	117
PID 5016 wrote to memory of 940	5016	msiexec.exe	117
PID 4016 wrote to memory of 448	4016	rfusclient.exe	119
PID 4016 wrote to memory of 448	4016	rfusclient.exe	119
PID 4016 wrote to memory of 448	4016	rfusclient.exe	119
PID 940 wrote to memory of 1056	940	rfusclient.exe	118
PID 940 wrote to memory of 1056	940	rfusclient.exe	118
PID 940 wrote to memory of 1056	940	rfusclient.exe	118
PID 880 wrote to memory of 4460	880	rutserv.exe	121
PID 880 wrote to memory of 4460	880	rutserv.exe	121
PID 880 wrote to memory of 4460	880	rutserv.exe	121
PID 880 wrote to memory of 2756	880	rutserv.exe	122
PID 880 wrote to memory of 2756	880	rutserv.exe	122
PID 880 wrote to memory of 2756	880	rutserv.exe	122
PID 4460 wrote to memory of 4472	4460	rfusclient.exe	125
PID 4460 wrote to memory of 4472	4460	rfusclient.exe	125
PID 4460 wrote to memory of 4472	4460	rfusclient.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fb7d97a44daaba69c94af9210ca79ac.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AFDB6E2A78180F933FB6C9CBF598A8A1 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2768
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B0FEF5D1C514BCA33243179B00920207
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3620
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C262CE7A0DF39366D77B7B0A3FA4DC23 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1620
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4804
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:920
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:448
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /CONFIG /SETSECURITY
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /CONFIG /SETSECURITY
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:996

C:\Windows\SysWOW64\sysfiles\rutserv.exe
C:\Windows\SysWOW64\sysfiles\rutserv.exe
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\sysfiles\rfusclient.exe
    C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    PID:4472
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIAB92.tmp

Filesize
121KB

MD5
1b05788b22e09f5f4282f06a1686ba1f

SHA1
498731c17f45e748dd0bfcc80c131fc085c3a09b

SHA256
59e01be05ff86875979c3acdd556eb6bb95fe899340705aaedd8743eaa8dea7f

SHA512
6bb119f189e78cb0118f7f4aa32c475287ca1ed88d3b2ee2a09cc53b22bf613e4f1678470ddd58b49ff5996f929d9f39dde3597fa53291365ad3ba522c749749

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5E96.tmp

Filesize
54B

MD5
ae5ce323640cfae9e20d8e11f5d4fc5c

SHA1
3966f66810e7567ea056c2d64d61f0a72c914070

SHA256
19cf22824cb1fe6a0986510c15d3326882c1545a5e0ce11b84910ecc8962d428

SHA512
e780fd7f80c24052c6546ae867fb3d7233d3f66f0ef38b9c8cf01a1f5a7747b9cc00e6347ce19168bbcb2242baedc52f3e2b926e02036a78fb3d9d88209da5d2

Download Submit
C:\Windows\Installer\MSI5E39.tmp

Filesize
165KB

MD5
b9be841281819a5af07e3611913a55f5

SHA1
d300645112844d2263dac11fcd8298487a5c04e0

SHA256
2887c57b49ce17c0e490aa7872f2da51321e2dde26c04ab7a6afcde9eab005d9

SHA512
7393bade0f42794279660f66aad4f4bd7dae63ff29ff19be4c4c86a4c26cf7291af1514e1475e96c2169536747c08beeec8bda30eecfb5da476709c19062b2e0

Download Submit
C:\Windows\SysWOW64\sysfiles\RWLN.dll

Filesize
357KB

MD5
bb1f3e716d12734d1d2d9219a3979a62

SHA1
0ef66eed2f2ae45ec2d478902833b830334109cb

SHA256
d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

SHA512
bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

Download Submit
C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll

Filesize
234KB

MD5
8e3f59b8c9dfc933fca30edefeb76186

SHA1
37a78089d5936d1bc3b60915971604c611a94dbd

SHA256
528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

SHA512
3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

Download Submit
C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll

Filesize
1.6MB

MD5
ff622a8812d8b1eff8f8d1a32087f9d2

SHA1
910615c9374b8734794ac885707ff5370db42ef1

SHA256
1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

SHA512
1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

Download Submit
C:\Windows\SysWOW64\sysfiles\gdiplus.dll

Filesize
1.6MB

MD5
871c903a90c45ca08a9d42803916c3f7

SHA1
d962a12bc15bfb4c505bb63f603ca211588958db

SHA256
f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645

SHA512
985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145

Download Submit
C:\Windows\SysWOW64\sysfiles\msvcp90.dll

Filesize
556KB

MD5
b2eee3dee31f50e082e9c720a6d7757d

SHA1
3322840fef43c92fb55dc31e682d19970daf159d

SHA256
4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01

SHA512
8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3

Download Submit
C:\Windows\SysWOW64\sysfiles\msvcr90.dll

Filesize
637KB

MD5
7538050656fe5d63cb4b80349dd1cfe3

SHA1
f825c40fee87cc9952a61c8c34e9f6eee8da742d

SHA256
e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099

SHA512
843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8

Download Submit
C:\Windows\SysWOW64\sysfiles\oledlg.dll

Filesize
4KB

MD5
d3f47f9ef1d3c358446c3680021e98ac

SHA1
5c50ab5a79d770a1e5ad43378d69d218de3ec4e6

SHA256
52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede

SHA512
eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

Download Submit
C:\Windows\SysWOW64\sysfiles\rasadhlp.dll

Filesize
3KB

MD5
8679b09cc9600a1f11a3c09cec12637b

SHA1
cad5c92e561b64d1f4e1f70c7596dcf186304ecb

SHA256
7e840982833d4c4d68835003960762fa3982c899ac1c8b63e4fdbbb35448152f

SHA512
93a8d0e78932793ccd534c17c48af203665d7b3d326d7b21b2b4aa54925a853e674324774fa9a99194eca7a930d504568095529a6b6a2e63b73f0c719bc424e6

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
75e3b4ab9bf87989889d58096829f83f

SHA1
c4cfbad8dc6992a25af6274b77e71af0cb27698f

SHA256
f25a6a1647a3ab451b179875af42358d650087c0c4a2ad8adb9f4a3e03ad3852

SHA512
201e75a2d73d1fde0f3c4a71cdfefe63be6e8a1206ce0a32b8ddbdecc7cbfb8a61ce8bdb953048f4a74cb810dc76e449e1400e5ccc9c883b5b0531e020e37ca3

Download Submit
C:\Windows\SysWOW64\sysfiles\ripcserver.dll

Filesize
144KB

MD5
30e269f850baf6ca25187815912e21c5

SHA1
eb160de97d12b4e96f350dd0d0126d41d658afb3

SHA256
379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

SHA512
9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.6MB

MD5
82d926146575664a89ceaa7d48a5f8e8

SHA1
1d1ea362ffdc6df930e146f1e4ca428a4383bf5d

SHA256
3a70a74d21f12e58b97697821d036a7b64571b5a0dd3832d31ba27a23dc37dd1

SHA512
494fec439d62defdc80e017d98d8d710b2d67ab5fbd3226e301885afed63ee0f452c4d4d6040d504d36ea8e1042cfff3cd727bf96e9c74176a70752504d8a790

Download Submit
C:\Windows\SysWOW64\sysfiles\vp8decoder.dll

Filesize
403KB

MD5
6f6bfe02e84a595a56b456f72debd4ee

SHA1
90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2

SHA256
5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51

SHA512
ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

Download Submit
C:\Windows\SysWOW64\sysfiles\vp8encoder.dll

Filesize
685KB

MD5
c638bca1a67911af7f9ed67e7b501154

SHA1
0fd74d2f1bd78f678b897a776d8bce36742c39b7

SHA256
519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8

SHA512
ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
67eaf42d99adb8156784c7bef00f0f9c

SHA1
b66a0aee6d10618005cf2d7c733d759d5aa5fdb6

SHA256
d5a15aa676230261b3663f3a685607a497241e05a5b3500fa5784a6ce8df2b58

SHA512
14300ae31b61e170d8e29ab7d3887a139a13dbd961fb4caa12d1a90fe345a8e49ff9fb3cfeaea08111cf26e1c1dba92690ede43a078f7c708ab785c95dd8c72d

Download Submit
\??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a7d2375a-8f64-461e-b051-fd7695f7060b}_OnDiskSnapshotProp

Filesize
6KB

MD5
8cadf1596b9979ea294bba559f4406c5

SHA1
f4293e12b5f40a792101943d1766bae2b3d9e9bb

SHA256
1b8e9bd7f7f40473baa999b6d9d8b94ee73d5ea56293eaf3bbf8597f51305b6e

SHA512
1e945cea3017b7b13fec6c771903c4790d32d0b76c21485c7043c8f93ec0a36dd1292fc972c5d24ddf0d4f144ce7c6140dc0f83eb6c66e00419107af70ad986e

Download Submit
memory/448-95-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/880-128-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/880-111-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/920-69-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/940-109-0x0000000000980000-0x0000000000986000-memory.dmp

Filesize
24KB

Download
memory/940-108-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/1056-147-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/1056-137-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/1056-127-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/1056-155-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/1056-118-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/1056-110-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/1056-164-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/2732-70-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/2732-71-0x0000000000A90000-0x0000000000A96000-memory.dmp

Filesize
24KB

Download
memory/2756-114-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/2756-115-0x00000000009B0000-0x00000000009B6000-memory.dmp

Filesize
24KB

Download
memory/2756-122-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/2756-131-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/4016-98-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/4016-99-0x0000000000980000-0x0000000000986000-memory.dmp

Filesize
24KB

Download
memory/4460-113-0x00000000008B0000-0x00000000008B6000-memory.dmp

Filesize
24KB

Download
memory/4460-112-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/4472-105-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/4472-106-0x00000000008F0000-0x00000000008F6000-memory.dmp

Filesize
24KB

Download
memory/4644-63-0x0000000000400000-0x000000000086D000-memory.dmp

Filesize
4.4MB

Download
memory/4644-64-0x00000000008C0000-0x00000000008C6000-memory.dmp

Filesize
24KB

Download
memory/4804-62-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download